    inetpub\wwwroot deleted somehow. OWA, ECP tanked.

    14 Posts 3 Posters 755 Views

G I Jones:

      As the title says we had the access to OWA & ECP on a single exchange server in our domain come to a screeching halt. I looked around a bit and found the wwwroot folder to be absent. I just made a new one and everything works again, but I'm curious for those of you who know more about vulnerabilities do you think this was an attack or a poorly executed update? Any best practice for preventing it in the future, attack or otherwise?

DustinB3403 @G I Jones:

@G-I-Jones File auditing would at least give you some insight as to what/who might have removed this directory. As for whether this was malicious, it seems like a small thing to attack if it was so easily recovered.

Obsolesce @DustinB3403:

          @DustinB3403 said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

@G-I-Jones File auditing would at least give you some insight as to what/who might have removed this directory. As for whether this was malicious, it seems like a small thing to attack if it was so easily recovered.

          File auditing would give exact details of who did what and when. I've used this a lot for investigations on Windows servers.

G I Jones @DustinB3403:

            @DustinB3403 @Obsolesce I have no experience with that. Is there a built-in feature or would you recommend a 3rd party?

Obsolesce @G I Jones:

              @G-I-Jones said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

              @DustinB3403 @Obsolesce I have no experience with that. Is there a built-in feature or would you recommend a 3rd party?

              This is built in. It involves two basic steps:

              1. Enable the File System auditing in the System Audit Policies in the Local Security Policy.
              2. For the Folders you want to audit, enable auditing in the Advanced Security Settings window Auditing tab.

              The auditing results are found in your security event log.

G I Jones @Obsolesce:

                @Obsolesce Appreciated.

Obsolesce:

                  Screenshots, quick example of where to go (not necessarily the settings, that will depend):

[screenshot 1]

[screenshot 2]

Obsolesce @G I Jones:

                    @G-I-Jones said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

                    @Obsolesce Appreciated.

                    One thing to note, if nothing else, is that enabling this has the potential to really grow your security event log. Make sure to configure that then as well to be handled appropriately, such as archiving, forwarding, etc.

G I Jones @Obsolesce:
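The two-step setup Obsolesce describes (audit policy, then a SACL on the folder), plus the log-sizing caveat from the last post, as one PowerShell script. This is an added example and not something posted in the thread; the folder path, the 1 GB log size, and auditing "Everyone" for delete rights only are assumptions you should adjust for your own server.

```powershell
# Added example (not from the thread). Run elevated on the Exchange server.
# Assumptions: the folder to watch, the log size, and the audited principal.
$Folder = 'C:\inetpub\wwwroot'

# Step 1: enable the "File System" subcategory of Object Access auditing.
# This is the advanced-policy equivalent of the Local Security Policy setting
# in the post; Success and Failure together catch completed and blocked deletes.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: add a SACL entry to the folder (the "Auditing" tab in Advanced
# Security Settings). Only Delete rights are audited here so the Security log
# is not flooded with every read of every web file; the entry inherits to all
# subfolders and files.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 3 (the caveat from the thread): give the Security log room so yesterday's
# events are still there tomorrow. 1 GB is an assumed size. /rt:true /ab:true
# archives the log to a file when it fills instead of overwriting old events.
wevtutil sl Security /ms:1073741824
wevtutil sl Security /rt:true /ab:true

# Step 4: read the results back. Event 4663 ("an attempt was made to access an
# object") is written when a handle is opened with the audited right; the
# object path and the account are in its EventData fields.
function Get-FolderDeleteAudit {
    param(
        [string]$Path = $Folder,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = $d.AccessMask      # 0x10000 is DELETE
                Process = $d.ProcessName
            }
        }
    }
}

Get-FolderDeleteAudit | Format-Table -AutoSize
```

Two things to check after running it: `auditpol /get /subcategory:"File System"` should show "Success and Failure", and deleting a scratch file under the folder should produce a 4663 entry within seconds. The query only finds events written after the SACL existed, which is the point DustinB3403 makes further down: auditing has to be in place before the incident. For the aggregation he mentions, forward the Security log off the box (Windows Event Forwarding or your SIEM agent) so that a full disk or a hostile local admin cannot take the evidence with it.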

@Obsolesce Thanks, figured it out. Can't seem to see anything from before today though, and this happened yesterday. This is probably because when I initially set up the Exchange Server, I mistakenly put the database on the C drive (65GB) and then had to move it to the E drive (6TB), but still had the transport logs and IIS stuff saving to C, which must've maxed out recently. Fixed all that this morning, but it looks like everything was overwritten already. Thanks for the help anyway.

DustinB3403 @G I Jones:

                        @G-I-Jones said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

                        see anything from before today though

                        That's expected, the logs were never created (and thus don't exist).

G I Jones @DustinB3403:

                          @DustinB3403 Ah, you know that crossed my mind. Makes sense.

G I Jones @DustinB3403:

                            @DustinB3403 So since this appears to be in preparation for future issues, is the common practice to just audit every drive?

DustinB3403 @G I Jones:

                              @G-I-Jones said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

                              @DustinB3403 So since this appears to be in preparation for future issues, is the common practice to just audit every drive?

Most people would send the logs to an aggregator and use that, rather than individual servers. But yes.

Obsolesce @G I Jones:

                                @G-I-Jones said in inetpub\wwwroot deleted somehow. OWA, ECP tanked.:

                                @DustinB3403 So since this appears to be in preparation for future issues, is the common practice to just audit every drive?

                                It depends on what you want to audit, and how much you want in your logs.
